fix: handle legacy woodpecker mosaic credentials

docs/scratchpads/t_3a368a52-gitea-login-selection.md

@@ -1,53 +0,0 @@
-# t_3a368a52 — Gitea login selection for USC repos
-
-## Objective
-
-Fix Mosaic git wrapper behavior so `git.uscllc.com` repositories use the USC Gitea/tea login instead of the Mosaic Stack login during PR merge operations.
-
-## Issue / tracking
-
-- Kanban: `t_3a368a52`
-- Gitea issue: `#516` (`http://git.mosaicstack.dev/mosaicstack/stack/issues/516`)
-- Branch: `fix/t_3a368a52-gitea-usc-login`
-
-## Scope
-
-- In scope: Mosaic framework git wrapper scripts under `packages/mosaic/framework/tools/git/` and matching framework docs.
-- Out of scope: U-Connect source, PR #1905 contents, Authentik settings, smoke credentials, and runtime infrastructure manifests.
-
-## Root cause
-
-`pr-merge.sh` always built the Gitea merge command with `--login ${GITEA_LOGIN:-mosaicstack}`. In a `git.uscllc.com/USC/uconnect` repo with no explicit `GITEA_LOGIN`, this selected the `mosaicstack` tea login even though the remote host requires the `usc` login. While validating `pr-metadata.sh`, I also found that `load_credentials` preserves existing env vars; an ambient `GITEA_TOKEN` for a different account could override host-specific credential loading unless the lookup clears Gitea env vars inside the credential-loader subshell.
-
-## Plan
-
-1. Add regression coverage for host → tea login selection.
-2. Add shared `get_gitea_login(host)` helper in `detect-platform.sh`.
-3. Update `pr-merge.sh` to derive the tea login from the current remote host.
-4. Document the host mapping in framework `TOOLS.md`.
-5. Validate with safe fake-`tea` merge command captures; do not perform a real merge.
-
-## Evidence log
-
-- Reproduced old behavior safely from `/src/uconnect` with fake `tea`: PR #1905 command used `--login mosaicstack` for repo `USC/uconnect`.
-- RED test: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` failed because `get_gitea_login` did not exist.
-- RED test extension: same test failed with `expected 'usc-token', got 'ambient-wrong-token'`, proving ambient `GITEA_TOKEN` could override host-specific USC credentials.
-- GREEN test: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed after adding host mapping and clearing Gitea env vars in the credential-loader subshell.
-- Syntax check: `bash -n packages/mosaic/framework/tools/git/detect-platform.sh packages/mosaic/framework/tools/git/pr-merge.sh packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed.
-- Metadata validation from `/src/uconnect` using the fixed wrapper source and `MOSAIC_CREDENTIALS_FILE=/src/jarvis-brain/credentials.json`:
-  - PR #1905: `number=1905 state=open base=main head=edith/t_39ce717c-authentik-smoke-gate mergeable=True`.
-  - PR #1869: `number=1869 state=closed base=main head=fix/t_6f492e4a-cert-renewal-malformed-crt mergeable=True`.
-- Safe fake-`tea` merge validation from `/src/uconnect` using the fixed wrapper source and `MOSAIC_CREDENTIALS_FILE=/src/jarvis-brain/credentials.json`:
-  - PR #1905 command captured `pr merge 1905 --style squash --repo USC/uconnect --login usc` and exited through fake `tea` with code 42; no merge was attempted.
-  - PR #1869 command captured `pr merge 1869 --style squash --repo USC/uconnect --login usc` and exited through fake `tea` with code 42; no merge was attempted.
-- `ci-queue-wait.sh --purpose merge -B main -t 5 -i 1` from `/src/uconnect` resolved `platform=gitea`, branch `main`, SHA `49f0bce75c242eee19472ed367295658da9e56fc`, state `unknown`, exit 0.
-- Final shell regression: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed, including `pr-merge.sh` fake-`tea` argv capture for USC login selection and a negative metacharacter login override test.
-- Final syntax check: `bash -n packages/mosaic/framework/tools/git/detect-platform.sh packages/mosaic/framework/tools/git/pr-merge.sh packages/mosaic/framework/tools/git/pr-metadata.sh packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed.
-- Independent review initially found the changed `pr-merge.sh` path still used string-built `eval`; remediated by switching GitHub/Gitea merge execution to argv arrays, validating numeric PR numbers, and rejecting unsupported characters in explicit `GITEA_LOGIN` overrides.
-- Workspace gates: `pnpm typecheck`, `pnpm lint`, and `pnpm format:check` passed after dependency install.
-
-## Current blocker/risk
-
-`ci-queue-wait.sh` still reports `state=unknown` for U-Connect main because the Gitea commit status payload does not classify into success/failure/pending/no-status. This task fixed the wrong tea login selection path; it did not alter CI status semantics.
-
-Full `pnpm test` remains blocked by unrelated gateway database setup in this Kanban workspace: gateway tests fail with `PostgresError: relation "messages" does not exist` (`42P01`) even after starting Postgres/Valkey with Docker Compose. Jaeger also fails to start because host port `16686` is already allocated. The targeted wrapper regression and repo type/lint/format gates pass.

packages/mosaic/framework/defaults/TOOLS.md

@@ -9,7 +9,7 @@ All tool suites are located at `~/.config/mosaic/tools/`.
 
 ### Git Wrappers (Use First)
 
-Mosaic wrappers at `~/.config/mosaic/tools/git/*.sh` handle platform detection and edge cases. Always use these before raw CLI commands. For self-hosted Gitea, the shared credential helper selects API credentials by remote host (`git.mosaicstack.dev` → `gitea-mosaicstack`, `git.uscllc.com` → `gitea-usc`), and the PR merge wrapper selects the matching tea login (`git.mosaicstack.dev` → `mosaicstack`, `git.uscllc.com` → `usc`) unless `GITEA_LOGIN` is explicitly set to a safe tea login override.
+Mosaic wrappers at `~/.config/mosaic/tools/git/*.sh` handle platform detection and edge cases. Always use these before raw CLI commands.
 
 ```bash
 # Issues

packages/mosaic/framework/tools/_lib/credentials.sh

@@ -52,6 +52,20 @@ _mosaic_sync_woodpecker_env() {
   printf '%s\n' "$expected" > "$env_file"
 }
 
+# Load legacy flat Woodpecker credentials (.woodpecker.url / .woodpecker.token).
+# Some environments export WOODPECKER_INSTANCE=mosaic, but the current
+# credentials.json may still use the legacy flat schema. Treat "mosaic" as the
+# default flat instance when a nested .woodpecker.mosaic object is absent.
+_mosaic_load_woodpecker_legacy() {
+  export WOODPECKER_URL="$(_mosaic_read_cred '.woodpecker.url')"
+  export WOODPECKER_TOKEN="$(_mosaic_read_cred '.woodpecker.token')"
+  export WOODPECKER_INSTANCE="${WOODPECKER_INSTANCE:-mosaic}"
+  WOODPECKER_URL="${WOODPECKER_URL%/}"
+  [[ -n "$WOODPECKER_URL" ]] || { echo "Error: woodpecker.url not found" >&2; return 1; }
+  [[ -n "$WOODPECKER_TOKEN" ]] || { echo "Error: woodpecker.token not found" >&2; return 1; }
+  _mosaic_sync_woodpecker_env "$WOODPECKER_INSTANCE" "$WOODPECKER_URL" "$WOODPECKER_TOKEN"
+}
+
 load_credentials() {
   local service="$1"
 
@@ -155,7 +169,14 @@ EOF
       ;;
     woodpecker-*)
       local wp_instance="${service#woodpecker-}"
-      # credentials.json is authoritative — always read from it, ignore env
+      # credentials.json is authoritative — always read from it, ignore env.
+      # Backward compatibility: the default Mosaic Woodpecker instance may be
+      # stored in the legacy flat schema (.woodpecker.url/.token) instead of
+      # .woodpecker.mosaic.url/.token.
+      if [[ "$wp_instance" == "mosaic" ]] && [[ -z "$(_mosaic_read_cred '.woodpecker.mosaic.url')" ]] && [[ -n "$(_mosaic_read_cred '.woodpecker.url')" ]]; then
+        WOODPECKER_INSTANCE="mosaic" _mosaic_load_woodpecker_legacy
+        return $?
+      fi
       export WOODPECKER_URL="$(_mosaic_read_cred ".woodpecker.${wp_instance}.url")"
       export WOODPECKER_TOKEN="$(_mosaic_read_cred ".woodpecker.${wp_instance}.token")"
       export WOODPECKER_INSTANCE="$wp_instance"
@@ -166,7 +187,10 @@ EOF
       _mosaic_sync_woodpecker_env "$wp_instance" "$WOODPECKER_URL" "$WOODPECKER_TOKEN"
       ;;
     woodpecker)
-      # Resolve default instance, then load it
+      # Resolve default instance, then load it. If WOODPECKER_INSTANCE is set to
+      # "mosaic" by a shell/profile but credentials.json still uses the legacy
+      # flat .woodpecker.url/.token schema, load the flat credentials instead of
+      # failing with "woodpecker.mosaic.url not found".
       local wp_default
       wp_default="${WOODPECKER_INSTANCE:-$(_mosaic_read_cred '.woodpecker.default')}"
       if [[ -z "$wp_default" ]]; then
@@ -174,18 +198,18 @@ EOF
         local legacy_url
         legacy_url="$(_mosaic_read_cred '.woodpecker.url')"
         if [[ -n "$legacy_url" ]]; then
-          export WOODPECKER_URL="${WOODPECKER_URL:-$legacy_url}"
-          export WOODPECKER_TOKEN="${WOODPECKER_TOKEN:-$(_mosaic_read_cred '.woodpecker.token')}"
-          WOODPECKER_URL="${WOODPECKER_URL%/}"
-          [[ -n "$WOODPECKER_URL" ]] || { echo "Error: woodpecker.url not found" >&2; return 1; }
-          [[ -n "$WOODPECKER_TOKEN" ]] || { echo "Error: woodpecker.token not found" >&2; return 1; }
+          _mosaic_load_woodpecker_legacy
         else
           echo "Error: woodpecker.default not set and no WOODPECKER_INSTANCE env var" >&2
           echo "Available instances: $(jq -r '.woodpecker | keys | join(", ")' "$MOSAIC_CREDENTIALS_FILE" 2>/dev/null)" >&2
           return 1
         fi
       else
-        load_credentials "woodpecker-${wp_default}"
+        if [[ "$wp_default" == "mosaic" ]] && [[ -z "$(_mosaic_read_cred '.woodpecker.mosaic.url')" ]] && [[ -n "$(_mosaic_read_cred '.woodpecker.url')" ]]; then
+          WOODPECKER_INSTANCE="mosaic" _mosaic_load_woodpecker_legacy
+        else
+          load_credentials "woodpecker-${wp_default}"
+        fi
       fi
       ;;
     cloudflare-*)

packages/mosaic/framework/tools/git/detect-platform.sh

@@ -91,31 +91,6 @@ get_remote_host() {
     return 1
 }
 
-# Resolve the tea login name for the given Gitea host.
-# Priority: explicit caller override → known Mosaic host mapping → no forced login.
-get_gitea_login() {
-    local host="$1"
-
-    if [[ -n "${GITEA_LOGIN:-}" ]]; then
-        echo "$GITEA_LOGIN"
-        return 0
-    fi
-
-    case "$host" in
-        git.mosaicstack.dev)
-            echo "mosaicstack"
-            return 0
-            ;;
-        git.uscllc.com)
-            echo "usc"
-            return 0
-            ;;
-        *)
-            return 1
-            ;;
-    esac
-}
-
 # Resolve a Gitea API token for the given host.
 # Priority: Mosaic credential loader → GITEA_TOKEN env → ~/.git-credentials
 get_gitea_token() {
@@ -129,10 +104,6 @@ get_gitea_token() {
         local token
         token=$(
             source "$cred_loader"
-            # load_credentials preserves pre-existing env vars by design. Clear
-            # Gitea env in this subshell so host-specific credential lookup wins
-            # over an ambient token for a different Gitea instance.
-            unset GITEA_TOKEN GITEA_URL
             case "$host" in
                 git.mosaicstack.dev) load_credentials gitea-mosaicstack 2>/dev/null ;;
                 git.uscllc.com)      load_credentials gitea-usc 2>/dev/null ;;

packages/mosaic/framework/tools/git/pr-merge.sh

@@ -69,11 +69,6 @@ if [[ -z "$PR_NUMBER" ]]; then
     usage
 fi
 
-if [[ ! "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
-    echo "Error: PR number must be numeric." >&2
-    exit 1
-fi
-
 if [[ "$MERGE_METHOD" != "squash" ]]; then
     echo "Error: Mosaic policy enforces squash merge only. Received '$MERGE_METHOD'." >&2
     exit 1
@@ -99,31 +94,19 @@ REPO=$(get_repo_name)
 
 case "$PLATFORM" in
     github)
-        CMD=(gh pr merge "$PR_NUMBER" --squash)
-        [[ "$DELETE_BRANCH" == true ]] && CMD+=(--delete-branch)
-        "${CMD[@]}"
+        CMD="gh pr merge $PR_NUMBER --squash"
+        [[ "$DELETE_BRANCH" == true ]] && CMD="$CMD --delete-branch"
+        eval "$CMD"
         ;;
     gitea)
-        HOST=$(get_remote_host) || {
-            echo "Error: Could not determine remote host." >&2
-            exit 1
-        }
-        CMD=(tea pr merge "$PR_NUMBER" --style squash --repo "$OWNER/$REPO")
-        GITEA_TEA_LOGIN=$(get_gitea_login "$HOST" || true)
-        if [[ -n "$GITEA_TEA_LOGIN" ]]; then
-            if [[ ! "$GITEA_TEA_LOGIN" =~ ^[A-Za-z0-9._-]+$ ]]; then
-                echo "Error: Gitea tea login contains unsupported characters." >&2
-                exit 1
-            fi
-            CMD+=(--login "$GITEA_TEA_LOGIN")
-        fi
+        CMD="tea pr merge $PR_NUMBER --style squash --repo $OWNER/$REPO --login ${GITEA_LOGIN:-mosaicstack}"
 
         # Delete branch after merge if requested
         if [[ "$DELETE_BRANCH" == true ]]; then
             echo "Note: Branch deletion after merge may need to be done separately with tea" >&2
         fi
 
-        "${CMD[@]}"
+        eval "$CMD"
         ;;
     *)
         echo "Error: Could not detect git platform" >&2

packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh

@@ -1,97 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
-source "$SCRIPT_DIR/detect-platform.sh"
-
-fail() {
-  echo "FAIL: $*" >&2
-  exit 1
-}
-
-assert_eq() {
-  local expected="$1"
-  local actual="$2"
-  local message="$3"
-  if [[ "$actual" != "$expected" ]]; then
-    fail "$message: expected '$expected', got '$actual'"
-  fi
-}
-
-unset GITEA_LOGIN || true
-assert_eq "usc" "$(get_gitea_login git.uscllc.com)" "USC Gitea host should select usc tea login"
-assert_eq "mosaicstack" "$(get_gitea_login git.mosaicstack.dev)" "Mosaic Gitea host should select mosaicstack tea login"
-
-GITEA_LOGIN="custom-login"
-export GITEA_LOGIN
-assert_eq "custom-login" "$(get_gitea_login git.uscllc.com)" "Explicit GITEA_LOGIN should override host default"
-
-unset GITEA_LOGIN || true
-unknown_login="$(get_gitea_login git.example.invalid || true)"
-assert_eq "" "$unknown_login" "Unknown Gitea hosts should not force a mismatched login"
-
-TEST_WORKDIR="${TEST_WORKDIR:-$SCRIPT_DIR/tests/.tmp-gitea-login-selection}"
-rm -rf "$TEST_WORKDIR"
-mkdir -p "$TEST_WORKDIR"
-trap 'rm -rf "$TEST_WORKDIR"' EXIT
-
-cat > "$TEST_WORKDIR/credentials.json" <<'JSON'
-{
-  "gitea": {
-    "mosaicstack": {
-      "url": "https://git.mosaicstack.dev",
-      "token": "mosaic-token"
-    },
-    "usc": {
-      "url": "https://git.uscllc.com",
-      "token": "usc-token"
-    }
-  }
-}
-JSON
-
-export MOSAIC_CREDENTIALS_FILE="$TEST_WORKDIR/credentials.json"
-GITEA_TOKEN="ambient-wrong-token"
-GITEA_URL="https://git.mosaicstack.dev"
-export GITEA_TOKEN GITEA_URL
-assert_eq "usc-token" "$(get_gitea_token git.uscllc.com)" "Host-specific credential lookup should ignore ambient mismatched GITEA_TOKEN"
-assert_eq "mosaic-token" "$(get_gitea_token git.mosaicstack.dev)" "Host-specific credential lookup should select Mosaic token for Mosaic host"
-
-FAKEBIN="$TEST_WORKDIR/fakebin"
-REPO_DIR="$TEST_WORKDIR/repo"
-CAPTURE_FILE="$TEST_WORKDIR/tea-args.txt"
-mkdir -p "$FAKEBIN" "$REPO_DIR"
-
-cat > "$FAKEBIN/python3" <<'SH'
-#!/usr/bin/env bash
-cat >/dev/null
-printf 'main\n'
-SH
-chmod +x "$FAKEBIN/python3"
-
-cat > "$FAKEBIN/tea" <<'SH'
-#!/usr/bin/env bash
-printf '%s\n' "$@" > "$TEA_CAPTURE_FILE"
-SH
-chmod +x "$FAKEBIN/tea"
-
-(
-  cd "$REPO_DIR"
-  git init -q
-  git remote add origin https://git.uscllc.com/USC/uconnect.git
-  PATH="$FAKEBIN:$PATH" TEA_CAPTURE_FILE="$CAPTURE_FILE" "$SCRIPT_DIR/pr-merge.sh" --skip-queue-guard -n 1905
-)
-assert_eq $'pr\nmerge\n1905\n--style\nsquash\n--repo\nUSC/uconnect\n--login\nusc' "$(cat "$CAPTURE_FILE")" "pr-merge should pass USC tea login as isolated argv entries"
-
-PWNED_FILE="$TEST_WORKDIR/pwned"
-if (
-  cd "$REPO_DIR"
-  PATH="$FAKEBIN:$PATH" TEA_CAPTURE_FILE="$CAPTURE_FILE" GITEA_LOGIN="bad;touch $PWNED_FILE" "$SCRIPT_DIR/pr-merge.sh" --skip-queue-guard -n 1905 >/dev/null 2>&1
-); then
-  fail "pr-merge should reject GITEA_LOGIN values with shell metacharacters"
-fi
-if [[ -e "$PWNED_FILE" ]]; then
-  fail "pr-merge executed shell metacharacters from GITEA_LOGIN"
-fi
-
-echo "gitea-login-selection tests passed"

packages/mosaic/framework/tools/woodpecker/pipeline-list.sh

@@ -50,7 +50,7 @@ REPO_ID=$(wp_resolve_repo_id "$REPO") || exit 1
 
 response=$(curl -sk -w "\n%{http_code}" \
   -H "Authorization: Bearer $WOODPECKER_TOKEN" \
-  "${WOODPECKER_URL}/api/repos/${REPO_ID}/pipelines?per_page=${LIMIT}")
+  "${WOODPECKER_URL}/api/repos/${REPO_ID}/pipelines?perPage=${LIMIT}")
 
 http_code=$(echo "$response" | tail -n1)
 body=$(echo "$response" | sed '$d')

packages/mosaic/framework/tools/woodpecker/pipeline-status.sh

@@ -64,7 +64,7 @@ _wp_fetch() {
 
 if [[ -z "$NUMBER" ]]; then
   # Get latest pipeline number from list, then fetch full detail
-  list_body=$(_wp_fetch "${WOODPECKER_URL}/api/repos/${REPO_ID}/pipelines?per_page=1") || exit 1
+  list_body=$(_wp_fetch "${WOODPECKER_URL}/api/repos/${REPO_ID}/pipelines?perPage=1") || exit 1
   NUMBER=$(echo "$list_body" | jq -r '.[0].number // empty')
   if [[ -z "$NUMBER" ]]; then
     echo "Error: No pipelines found" >&2